Description
Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by replacing the MemuService.exe executable. Attackers can rename and overwrite MemuService.exe in the installation directory with a malicious executable, which executes with system-level privileges when the service restarts after a computer reboot.
Published: 2026-03-21
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

Memu Play 6.0.7 has a file permission flaw that allows users with limited privileges to replace the MemuService.exe binary. This executable can be overwritten in the program's installation folder using normal user rights. When the machine restarts, the service runs with system privileges and the replaced binary executes with full administrative rights, giving the attacker arbitrary code execution on the host. The weakness is improper privilege assignment to critical files and is classified as CWE‑306.

Affected Systems

The vulnerability affects Memu Play 6.0.7 released by Memuplay. No other versions are reported to contain this flaw.

Risk and Exploitability

With a CVSS base score of 9.3, the vulnerability is critical. EPSS data is not available and it is not listed in the CISA KEV catalog. An attacker only needs write access to the installation directory to replace the executable, so the risk is high when standard users can modify files in that location. The local privilege escalation can turn a low‑privilege user into a system administrator after a reboot, providing a straightforward exploitation path once the file replacement occurs.

Generated by OpenCVE AI on March 21, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the official Memu Play security patch or upgrade to a version newer than 6.0.7.
  • Verify that MemuService.exe and related files in the installation directory are protected from write access for standard users.
  • If an immediate patch is unavailable, modify the permissions on MemuService.exe to read‑only for users other than the system account to prevent replacement.
  • Restart the system only after verifying that no unauthorized executable has replaced MemuService.exe.
  • Regularly monitor the MemuPlay installation folder for unexpected file modifications or new executables.

Generated by OpenCVE AI on March 21, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Microvirt
Microvirt memu
CPEs cpe:2.3:a:microvirt:memu:*:*:*:*:*:*:*:*
Vendors & Products Microvirt
Microvirt memu

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Memuplay
Memuplay memu Play
Vendors & Products Memuplay
Memuplay memu Play

Sat, 21 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
Description Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by replacing the MemuService.exe executable. Attackers can rename and overwrite MemuService.exe in the installation directory with a malicious executable, which executes with system-level privileges when the service restarts after a computer reboot.
Title Memu Play 6.0.7 Privilege Escalation via Insecure File Permissions
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Memuplay Memu Play
Microvirt Memu
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-23T16:36:43.619Z

Reserved: 2026-03-21T12:36:43.551Z

Link: CVE-2019-25568

cve-icon Vulnrichment

Updated: 2026-03-23T16:36:38.705Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-21T13:16:20.470

Modified: 2026-04-21T16:48:38.030

Link: CVE-2019-25568

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:47:15Z

Weaknesses